Installing Ubuntu Linux Server
To install Ubuntu 20.04 LTS, download the server install image from the Ubuntu Releases page. For more information on the installer and options of the installation wizard, see the official Canonical guide.
During the installation process, consider the following Veeam recommendations:
- Before you boot the installer, enable UEFI secure boot to prevent unsigned Linux kernel modules from being loaded.
- In the GRUB menu, select the Boot and Install with the HWE kernel option to support the latest hardware.
- At the welcome screen of the installation wizard, select the language for the installer and the default language for the installed system. For troubleshooting purposes, it is recommended to select the English language.
- At the Installer update available step of the installation wizard, select the Continue without updating option.
- At the Keyboard configuration step of the installation wizard, set up the keyboard layout used in your backup infrastructure.
- At the Network connections step of the installation wizard, do the following:
  - If you have several network interface cards, create a bond to provide network failover in case of connection issues. For the bond mode, select one of the following options:
    - balance-rr (if you use EtherChannel without LACP)
    - 802.3ad (if you use EtherChannel with LACP)
    - active-backup (for other configurations)
  - If you have only one network interface card and cannot create a bond, assign a static IP address to the network interface to reduce the risk of connection issues, for example, with the DHCP server.
- At the Configure proxy step of the installation wizard, specify the proxy server if required.
- At the Configure Ubuntu archive mirror step of the installation wizard, leave the default mirror address.
- At the Storage configuration step of the installation wizard, follow recommendations from CIS Benchmarks for Ubuntu Linux 20.04 LTS STIG for partitioning.
  For the operating system, use the ext4 file system. Example:
  For the backup data, use the XFS file system. Example:
  To be compliant with DISA STIG UBTU-20-010414, you do not need to enable disk encryption for the operating system. To protect data in backups, use Veeam Backup & Replication built-in encryption instead. For more information, see Storage Settings.
  After you add partitions for all disks, click Continue in the Confirm destructive action window to apply changes. Note that all data on the disks will be deleted.
- At the Profile setup step of the installation wizard, specify a hostname and a user account that you will use to connect to the Linux server. Note that by default this account has sudo permissions. After you add a hardened repository to the backup infrastructure, you must remove this user account from the sudo group. For more information, see Post-Installation.
- At the SSH Setup step of the installation wizard, select the Install OpenSSH server check box. The OpenSSH server is required to be compliant with DISA STIG UBTU-20-010042 and for deployment and upgrade of Veeam Data Mover.
- At the Featured Server Snaps step of the installation wizard, do not install any additional packages. Click Done to start the installation process.
After the installation finishes, remove the installation media and reboot the system.
For post-installation, consider the following Veeam recommendations:
- To be compliant with DISA STIG UBTU-20-010009, set a password for GRUB. To configure the setting manually, do the following:
  - Create a password using the grub-mkpasswd-pbkdf2 command:
    PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.C0F70D240A8BC5C1BC4E1303EC4F040957C1AF1BB8E99EED573133D3A017BE9B2BB48E52577A141B3A6952527A9D1BEF13E2BB29978DA71F2D867EBB03545021.C4E81CAE7B464E78B15DF0A578B63BAB3A0CB180C311AFA5A85F6245800D11D40B37B817C3F30348EE603AF725B7E09B98A291114B0206D[…]
  - Add a user name and a password hash at the end of the /etc/grub.d/40_custom file:
    password_pbkdf2 root grub.pbkdf2.sha512.10000.C0F70D240A8BC5F[…]
  - To disable asking for credentials after rebooting the system and require them only when editing boot menu entries, open the /etc/grub.d/10_linux file and add the --unrestricted parameter to the CLASS variable:
    CLASS="--class gnu-linux --class gnu --class os --unrestricted"
  - Update the GRUB configuration:
- To be compliant with DISA STIG UBTU-20-010455, disable all wireless network adapters, as described in this DISA STIG article.
- If you do not use the proxy server and the Linux server has outgoing HTTP internet access allowed, limit outgoing HTTP traffic to the Ubuntu servers only or use an internal Ubuntu mirror. To receive Linux security updates, the server must have access to the Linux distribution security update servers.
- For the separate directory that you created for the backup data, allow access only for the user account you created during the installation. Use the following commands:
  - To assign the directory's owner:
    chown -R owner:group <dir_path>
    Both owner and group must be the user account you created during the installation.
  - To allow access to the directory only for its owner and the root account:
    chmod 700 <dir_path>
- To be compliant with DISA STIG UBTU-20-010012, you must have only two users:
  - The root account. Note that by default the root account has a blank password and cannot be used for connection.
  - The user account you created during the installation. This account will be used to connect to the Linux server and deploy required Veeam Backup & Replication components including persistent Veeam Data Mover, or transport service. For more information about Veeam Data Movers, see this section.
  By default, the user account you created during the installation is a member of the sudo group and has enough privileges to deploy and install required Veeam Backup & Replication components. In that case, when you add a Linux server as a hardened repository to the backup infrastructure and specify single-use credentials, you do not need to enter the password for the root account. After the repository is added, you must remove the user account from the sudo group to make it a non-root account. To do this, perform the following steps:
  - Allow the user account to reboot and shut down the operating system:
    sudo bash -c "echo 'user1 ALL = (root) NOEXEC: /usr/sbin/reboot' >> /etc/sudoers"
    sudo bash -c "echo 'user1 ALL = (root) NOEXEC: /usr/sbin/shutdown' >> /etc/sudoers"
  - Remove the user account from the sudo group:
    sudo deluser user1 sudo
  Note that the next time you log in with this user account, it will no longer have sudo permissions. If you need to execute commands as a privileged user, you must boot the operating system into the single user mode.
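The post-installation settings above can be re-checked after any change with a small read-only audit. The script below is an added example, not part of the Veeam documentation; the function names are hypothetical, it assumes GNU stat and that the account's primary group has the same name as the account (the Ubuntu default), and user_in_group reads only the member list of a group(5) file.

```shell
#!/usr/bin/env bash
# Added example: read-only checks for the post-installation steps above.
# File paths are parameters so each check can be run against a copy.

# Backup directory must be owned by owner:group with mode 700.
check_repo_dir() {   # usage: check_repo_dir <dir> <owner> <group>
    [ -d "$1" ] && [ "$(stat -c '%U:%G:%a' "$1")" = "$2:$3:700" ]
}

# 40_custom must carry an uncommented password_pbkdf2 entry with a PBKDF2 hash.
check_grub_password() {   # usage: check_grub_password <40_custom>
    grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.sha512\.' "$1"
}

# 10_linux must set --unrestricted in CLASS so a normal boot needs no password.
check_unrestricted() {   # usage: check_unrestricted <10_linux>
    grep -Eq '^[[:space:]]*CLASS=.*--unrestricted' "$1"
}

# True if <user> is listed as a member of <group> in a group(5) file.
user_in_group() {   # usage: user_in_group <user> <group> [group_file]
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) hit = 1 }
        END { exit hit ? 0 : 1 }' "${3:-/etc/group}"
}

# Run every check against the live system; returns the number of failures.
audit_hardening() {   # usage: audit_hardening <user> <backup_dir>
    local user=$1 dir=$2 fails=0
    check_repo_dir "$dir" "$user" "$user" ||
        { echo "FAIL: $dir is not $user:$user mode 700"; fails=$((fails + 1)); }
    check_grub_password /etc/grub.d/40_custom ||
        { echo "FAIL: no password_pbkdf2 entry in 40_custom"; fails=$((fails + 1)); }
    check_unrestricted /etc/grub.d/10_linux ||
        { echo "FAIL: CLASS in 10_linux lacks --unrestricted"; fails=$((fails + 1)); }
    if user_in_group "$user" sudo; then
        echo "FAIL: $user is still a member of sudo"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Example invocation (as root): ./audit.sh user1 <dir_path>
if [ "$#" -eq 2 ]; then audit_hardening "$@"; fi
```

Run it as root so the files under /etc/grub.d are readable; a non-zero exit status is the count of failed checks.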